Problem Description:

We are trying to configure single sign-on using JBoss Negotiation. We are able to log in successfully if the user is present in Active Directory. But if the user is not present among the Active Directory users, it throws a 401 error page. Instead of the 401, we want the user to access the login form and to authenticate the user using a different login module.

In our case we have a login page, and we authenticate the user on that page. If we receive user credentials, we log the user in without asking for a password. Now, if the user credentials are not received, we want the user to open the login form present on the login page, but before that it throws a 401 error.

We have configured login-config.xml, web.xml and jboss-web.xml as per the documentation. We also defined the following in web.xml:

    <web-resource-collection>
        <web-resource-name>Restricted</web-resource-name>
        <url-pattern>/Request</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>

I would like some guidance here as well, although my use-case is a little different.

I would like to fall back to an alternative authentication method (in my particular case straight to the AD for a non-SSO login, but it could be to an LDAP, or whatever) when SSO doesn't work, e.g. no longer within the domain. I would also like to be able to switch the login mechanism for support reasons, i.e. log in as someone else, i.e. on demand.

I can see how I could do this with the SPNEGO (SourceForge) filter and my own tweaking, but I am less clear how I would go about this with JBoss Negotiation and security realms.

As an aside (sorry), I also have the problem that the LDAP roles lookup doesn't seem to work with any of the other LDAP module tweaks, e.g. parse username, or %u. This means that my roles lookup isn't working, as our AD doesn't store username@adDomain in the user information. As the documentation reads as if one thing extends another, this seems a little illogical (and non-useful).